#592358 by John Morahan, dww: SA-CONTRIB-2009-066: XSS via group descriptions. 5.x-8.1
authorDerek Wright
Wed, 30 Sep 2009 19:11:28 +0000 (19:11 +0000)
committerDerek Wright
Wed, 30 Sep 2009 19:11:28 +0000 (19:11 +0000)
og.module

index b521550..24744ad 100644 (file)
--- a/og.module
+++ b/og.module
@@ -1095,11 +1095,13 @@ function og_page_activity() {
 // 
 function og_view_group(&$node, $teaser = FALSE, $page = FALSE) {
   if ($teaser || !$page) {
-    $node->content['og_description'] = array(
-      '#type' => 'item',
-      '#title' => t('Description'),
-      '#value' => $node->og_description,
+    if (!empty($node->og_description)) {
+      $node->content['og_description'] = array(
+        '#type' => 'item',
+        '#title' => t('Description'),
+        '#value' => check_plain($node->og_description),
       );
+    }
   }
   else {
     $bc[] = array('path' => "og", 'title' => t('Groups'));
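Review bot: The new `!empty()` guard also suppresses a description whose entire text is the string `'0'`, because `empty('0')` is true in PHP; if only an absent or blank description should be skipped, `if (isset($node->og_description) && $node->og_description !== '') {` keeps the escaping while being precise about what is dropped. Wrapping `#value` in `check_plain()` is the correct fix for an `#item` element, whose `#value` is output as raw markup, so the escape must happen at exactly this point. og_view_group continues past the hunk into the `else` (full page) branch, so any other place the description is emitted on that path is not covered by this change and would need the same escaping.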